
2603 points mattsolle | 9 comments
submeta ◴[] No.25075156[source]
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
replies(26): >>25075338 #>>25075481 #>>25075547 #>>25075666 #>>25075887 #>>25076053 #>>25076387 #>>25076568 #>>25076811 #>>25077902 #>>25077923 #>>25077940 #>>25079234 #>>25079856 #>>25079879 #>>25080093 #>>25080357 #>>25080370 #>>25080849 #>>25081772 #>>25081989 #>>25083938 #>>25087820 #>>25090415 #>>25090991 #>>25095226 #
vsskanth ◴[] No.25075338[source]
Can Apple not use security certificates to verify publishers? Why does it need to go to their servers?
replies(4): >>25075370 #>>25075733 #>>25076033 #>>25078236 #
loeg ◴[] No.25075733[source]
The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

replies(6): >>25075811 #>>25075817 #>>25076021 #>>25076039 #>>25076087 #>>25076418 #
1. valuearb ◴[] No.25075817{3}[source]
What’s the alternative tho?
replies(4): >>25075871 #>>25075879 #>>25076057 #>>25076167 #
2. LgWoodenBadger ◴[] No.25075871[source]
Publish revocations as security updates to the OS?
replies(1): >>25075999 #
3. jimmaswell ◴[] No.25075879[source]
You don't need an alternative. The entire concept is totally unnecessary.
4. valuearb ◴[] No.25075999[source]
Security updates take too long. How about each copy of macOS keeps a local copy of the revocation database and updates it in the background?

Much faster, updates relatively quickly, and not subject to network outages.

replies(1): >>25077030 #
5. loeg ◴[] No.25076057[source]
A limited change would be to fail open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (macOS already fails open in some internet scenarios.)

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

replies(1): >>25076257 #
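The two designs loeg contrasts (the current wait-for-the-network check that blocks on any error, versus a locally cached revocation list refreshed in the background with fail-open on an unreachable responder), as an added Python sketch that is not part of this thread or of Apple's code. The responder, the hash values and the CRL contents are constructed stand-ins.

```python
# Added illustration: a simulated launch-time revocation check that
# contrasts fail-closed OCSP with fail-open plus a local CRL cache.
# The responder, hashes and CRL contents here are constructed stand-ins.

ALLOW, DENY = "allow", "deny"


class ResponderDown(Exception):
    """Stands in for a timeout or connection error to the OCSP server."""


def make_responder(revoked, reachable=True):
    """Return a callable modelling the OCSP responder (constructed)."""
    def responder(cert_hash):
        if not reachable:
            raise ResponderDown("ocsp responder unreachable")
        return cert_hash in revoked
    return responder


def check_fail_closed(cert_hash, responder):
    """Behaviour described in the thread: every launch waits for the
    network answer, and any error blocks the launch."""
    try:
        return DENY if responder(cert_hash) else ALLOW
    except ResponderDown:
        return DENY


def check_fail_open(cert_hash, responder, local_crl):
    """Consult the locally cached CRL first, then ask the network, and
    treat an unreachable responder as 'allow' so the OS keeps working.
    A real implementation would put a short deadline on the network call."""
    if cert_hash in local_crl:
        return DENY
    try:
        return DENY if responder(cert_hash) else ALLOW
    except ResponderDown:
        return ALLOW


def refresh_crl(local_crl, fetch):
    """Background refresh: merge the published list when reachable,
    otherwise keep serving the stale cache. Returns True on success."""
    try:
        local_crl.update(fetch())
        return True
    except ResponderDown:
        return False
```

Revoked entries already in the local cache are still denied while the responder is down, which is the point of keeping the check local.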
6. fortran77 ◴[] No.25076167[source]
Microsoft Windows 10.
7. valuearb ◴[] No.25076257[source]
This is exactly right, and given Apple’s privacy commitment should have been implemented already.
8. cromka ◴[] No.25077030{3}[source]
I'd imagine that revocations don't happen often. And when they do, Apple has a perfectly capable infrastructure to push those small incremental changes on demand. It's almost as if they intentionally ignored such a superior solution and chose calling home for other reasons...
replies(1): >>25078918 #
9. throwaway888abc ◴[] No.25078918{4}[source]
That way (the current one) Apple also has the app usage statistics?